[ogsa-authn-bof] Use Cases

Tom Scavo trscavo at gmail.com
Wed Feb 14 11:21:51 CST 2007


On 2/14/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> I expect everyone will have multiple globally unique IDs.
> Global is however essential. Otherwise someone else could access my
> patient record as me, since their ID would be identical to mine. This is
> unacceptable.

Agreed (of course).

> So global is essential. However, as I have said before it
> is trivial to engineer. Every system already has locally unique IDs, so
> you prefix this with globally unique ID of the system.

No, I'm afraid it is not trivial.  (Sorry I have to delve into the
details again :)

Today, an IdP is mostly happy to assert eduPersonPrincipalName (e.g.,
one of my ePPNs is "trscavo at uiuc.edu").  It turns out that ePPN meets
your requirements (as I understand them) perfectly, but Internet2 is
pushing us (and relying parties in general) towards
eduPersonTargetedID.  I will show that ePTID is a very different
animal, despite the fact that it is a "globally unique ID."

An ePTID is essentially a triple:

ePTID := (IdP entityID, SP entityID, principal nameID)

The entityIDs are URIs while the nameID is opaque.  More importantly,
note that the ePTID is scoped to the SP.  That means that SP1
(GridShib CA), SP2 (shib-enabled Science Gateway), and SP3 (IdP Proxy)
all receive different nameIDs from a given IdP.  This is an important
distinction with ePPN.  It means that the Grid Service sees three
distinct users, not a single user as seems to be required.

There isn't much that can be done about this.  The ePTID is designed
to prevent collusion among SPs.  Unfortunately, that is exactly what
you want to do in the presence of intermediaries.  So ePTID does not
meet our needs (as I understand them) unless all the GridShib CAs,
shib-enabled Science Gateways, and IdP Proxies belong to the same
"affiliation".  But once you do that, the use of ePTID becomes
significantly less compelling, that is, not worth the extra work
required to deploy it.

Tom

